
@JulienBreux
Last active July 1, 2021 11:59
CKA-07-2021 - Certification Kubernetes Administrator

JSON Path

Get restart count from container name

$.status.containerStatuses[?(@.name == 'xxx-container')].restartCount

Print node addresses

$.items[*].status.addresses[?(@.type=="InternalIP")].address

Get name of all resources

$[*].metadata.name

Events

List latest events ordered by time

kubectl get events -A --sort-by=.metadata.creationTimestamp

Resources

List all namespaced API resources by name

kubectl api-resources --namespaced -o name

Pods

Create pod on specific node

spec:
  nodeName: my-node

Create pod on specific tainted node

spec:
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master

List pods with labels

Command:

kubectl get pods -L app,run

Note: This avoids having to use -o yaml or describe just to read a well-known label.

Create a pod with requests

kubectl run my-pod \
    --image=nginx:alpine \
    --requests "cpu=10m,memory=10Mi" \
    -o yaml \
    --dry-run=client > my-pod.yaml

Services

Expose a pod through a NodePort service on port 80

kubectl expose pod my-pod \
  --name my-pod-service \
  --type=NodePort \
  --port 80

Certificates

Check certificate validity using openssl

Command:

openssl x509 \
    -noout \
    -text \
    -in /etc/kubernetes/pki/XXX.crt | grep Validity -A2

Output:

Validity
    Not Before: Xxx xx xx:xx:xx xxxx GMT
    Not After : Xxx xx xx:xx:xx xxxx GMT

Check certificate validity using kubeadm

Command:

kubeadm certs check-expiration

Output:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Xxx xx, xxxx xx:xx UTC   xxxd                                    no      
apiserver                  Xxx xx, xxxx xx:xx UTC   xxxd            ca                      no      
apiserver-etcd-client      Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
apiserver-kubelet-client   Xxx xx, xxxx xx:xx UTC   xxxd            ca                      no      
controller-manager.conf    Xxx xx, xxxx xx:xx UTC   xxxd                                    no      
etcd-healthcheck-client    Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
etcd-peer                  Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
etcd-server                Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
front-proxy-client         Xxx xx, xxxx xx:xx UTC   xxxd            front-proxy-ca          no      
scheduler.conf             Xxx xx, xxxx xx:xx UTC   xxxd                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Xxx xx, xxxx xx:xx UTC   xy              no      
etcd-ca                 Xxx xx, xxxx xx:xx UTC   xy              no      
front-proxy-ca          Xxx xx, xxxx xx:xx UTC   xy              no
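
To turn the expiry table above into a check, the following added example (not part of the original gist) filters it for certificates with less than a given number of days left. The function names and the sample table are constructed for illustration, and the sub-day (`6h`) and `<invalid>` residual values are assumed forms that the page's placeholder output does not show.

```shell
#!/usr/bin/env bash
# Added example: flag certificates close to expiry by reading the table that
# `kubeadm certs check-expiration` prints (fed in on stdin).

# Constructed sample output; names follow the page, dates and times are made up.
sample_output() {
cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 01, 2022 10:00 UTC   364d                                    no
apiserver                  Jul 20, 2021 10:00 UTC   19d             ca                      no
apiserver-etcd-client      Jul 01, 2021 18:00 UTC   6h              etcd-ca                 no
etcd-server                Jun 30, 2021 10:00 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 29, 2031 10:00 UTC   9y              no
EOF
}

# expiring_certs <days>: print "name residual" for each certificate or CA whose
# residual time is below <days>.
expiring_certs() {
  awk -v limit="$1" '
    /^CERTIFICATE/ { in_table = 1; next }  # header row opens a table
    NF == 0        { in_table = 0; next }  # blank line closes it
    !in_table      { next }                # skip the log lines
    {
      r = ""
      # RESIDUAL TIME is the field right after "UTC" in the EXPIRES column.
      for (i = 1; i < NF; i++) if ($i == "UTC") { r = $(i + 1); break }
      if (r == "") next
      n = r + 0                            # numeric prefix: "19d" -> 19
      unit = substr(r, length(r))
      if (unit == "y")      days = n * 365
      else if (unit == "d") days = n
      else                  days = 0       # h/m/s or <invalid>: under a day
      if (days < limit) print $1, r
    }'
}

# On a control-plane node: kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30
```

Any line printed is a candidate for `kubeadm certs renew`; an empty result means nothing in the table falls under the threshold.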

Renew api server certificate using kubeadm

Command:

kubeadm certs renew apiserver

Get kubelet client issuer

openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep Issuer

Get kubelet issuer

openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet.cert | grep Issuer

kubelet

Systemd configuration

/etc/systemd/system/kubelet.service.d/10-kubeadm.conf

etcd

Backing-up

Get arguments:

cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd

Output:

- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379

Command:

ETCDCTL_API=3 etcdctl snapshot save /tmp/etcd-backup.db \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
--cert /etc/kubernetes/pki/etcd/server.crt \
--key /etc/kubernetes/pki/etcd/server.key

Restore

Command:

ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-backup.db \
--data-dir /var/lib/etcd-backup

Change volume in static etcd pod:

vim /etc/kubernetes/manifests/etcd.yaml

  volumes:
  - hostPath:
      path: /var/lib/etcd-backup
      type: DirectoryOrCreate
    name: etcd-data